Title of invention: System and method for denial of service attack mitigation using cloud services
Abstract: A method to mitigate attacks by an upstream service provider using cloud mitigation services. An edge detection device, which is located at the subscriber's network edge, is able to communicate information about attacks via status messages to an upstream service provider. The service provider is then able to mitigate attacks based on the status messages. There is a feedback loop whereby the amount of traffic dropped by the service provider is added to the network traffic to keep the mitigation request open and prevent flapping. Likewise, the detection device includes time-to-engage and time-to-disengage timers to further prevent flapping.
Publication number: US9432385(B2)
Publication date: 2016.08.30
Application number: US201113328206
Filing date: 2011.12.16
Applicant: Arbor Networks, Inc.
Inventors: Kustarz Chester; Huston, III Lawrence Bruce; Simpson James A.; Winquist James Edward; Barnes Olan Patrick; Jackson Eric
Classification: G06F11/00; H04L29/06; G06F21/55
Main classification: G06F11/00
Agency: Locke Lord LLP
Agents: Locke Lord LLP; Wofsy Scott D.; Capelli Christopher J.
Main claim: 1. A method for mitigating an attack on a network utilizing a subscriber monitoring device and a service provider mitigation system, the method comprising: the subscriber monitoring device monitoring network traffic between a subscriber network and a service provider network; the subscriber monitoring device and service provider mitigation system sending and receiving asynchronous status messages to each other using a stateless protocol; the subscriber monitoring device determining if the subscriber network is under attack and determining a fingerprint for the attack, wherein the attack fingerprint comprises at least one of one or more source IP addresses of the packets that make up the attack, one or more destination IP addresses of the packets that make up the attack, characteristics of packet payloads related to the packets that make up the attack and port numbers that are under attack; the subscriber monitoring device requesting mitigation from the service provider mitigation system via a mitigation request when the subscriber network is under attack, wherein said mitigation request includes the attack fingerprint; the service provider mitigation system providing mitigation, the mitigation including dropping packets generated by attackers based on, at least in part, the attack fingerprint while the subscriber network is under attack, the mitigation being provided in response to the requested mitigation; and the subscriber monitoring device sending a request to terminate the mitigation in response to an amount of network traffic dropped by the service provider mitigation system as indicated by status messages from the service provider mitigation system and an amount of network traffic received from the service provider mitigation system following the mitigation, wherein the service provider mitigation system further comprises a plurality of sensors and communication devices providing data communication and transmission of packets across the service provider network, wherein each status message sent between the subscriber monitoring device and the service provider monitoring system includes an arrival time of a most recently received status message and a timestamp of when the respective status message was sent.
Address: Burlington MA US
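
The anti-flapping behaviour described in the abstract (provider-reported drops added back to observed traffic, plus time-to-engage and time-to-disengage timers) can be sketched as follows. This is an added example, not code from the patent or from Arbor Networks; the class and function names, the threshold, the timer values and the traffic trace are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class MitigationController:
    """Hypothetical edge-device logic; names and thresholds are assumptions."""
    threshold_bps: float        # load above this counts as "under attack"
    time_to_engage: float       # seconds load must stay high before requesting
    time_to_disengage: float    # seconds load must stay low before terminating
    use_feedback: bool = True   # add provider-reported drops to observed load
    mitigating: bool = False
    _pending_since: Optional[float] = field(default=None, init=False)

    def update(self, now, received_bps, provider_dropped_bps):
        """Return "request", "terminate" or None for one traffic sample."""
        # Feedback loop: traffic dropped upstream never reaches the edge, so it
        # is added back; otherwise scrubbed traffic looks like "attack over".
        effective = received_bps + (provider_dropped_bps if self.use_feedback else 0.0)
        over = effective > self.threshold_bps
        if over == self.mitigating:
            self._pending_since = None  # state already matches; cancel pending change
            return None
        if self._pending_since is None:
            self._pending_since = now
        hold = self.time_to_disengage if self.mitigating else self.time_to_engage
        if now - self._pending_since < hold:
            return None                 # condition has not persisted long enough
        self.mitigating, self._pending_since = over, None
        return "request" if over else "terminate"


def simulate(ctrl, attack_profile, legit_bps=100.0):
    """Replay one sample per second; provider drops all attack traffic while engaged."""
    actions = []
    for t, attack_bps in enumerate(attack_profile):
        if ctrl.mitigating:
            received, dropped = legit_bps, attack_bps
        else:
            received, dropped = legit_bps + attack_bps, 0.0
        action = ctrl.update(float(t), received, dropped)
        if action:
            actions.append((t, action))
    return actions


# Constructed trace: 3 s quiet, 10 s of attack traffic, 10 s quiet.
ATTACK = [0.0] * 3 + [900.0] * 10 + [0.0] * 10
```

Running `simulate` with `use_feedback=False` and both timers set to zero shows the flapping the abstract refers to: the controller alternates between requesting and terminating mitigation on every sample for as long as the attack lasts.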